Network Infrastructure Router vs ASA Device

dmayo0317
Level 1

Hi Everyone,

I am currently working on an entire network upgrade for my company. I am working on a network security solution that will enable users to use Cisco IPSec VPNs. I have been doing my research and for my user base of about 50 users, I decided to go with a Cisco ASA 5510 Security Plus and a Cisco 2851 to do any major routing.

The reason for using Cisco is due to the fact we have Macs and iPhones within our organization and they have native support for Cisco IPSec VPNs. I was speaking with Cisco engineers and they recommended the ASA5510 with the 2851 router. My question is why the router as well? Currently we have a PIX 506e and it is doing the job fine without a separate router appliance.

a) What would the benefits of having a separate router be to my organization? We currently operate on a 24 bit network with no other subnets.

b) Any future benefits to doing this?

c) What are the main reasons people have a separate firewall and router?

Basically, the way I am looking at this:

My ASA device would be connected to our WAN (Internet Connection). The router would be behind the ASA device on our private network with a private IP. So what is the point of having the router there?

Please, if you guys could provide me with some reasons to have a router and an ASA device. Comments like "performance" don't really help me, as anyone can say it, but please give examples. I would really appreciate it.

Jon Marshall
Hall of Fame

dmayo0317 wrote:

Hi Everyone,

I am currently working on an entire network upgrade for my company. I am working on a network security solution that will enable users to use Cisco IPSec VPNs. I have been doing my research and for my user base of about 50 users, I decided to go with a Cisco ASA 5510 Security Plus and a Cisco 2851 to do any major routing.

The reason for using Cisco is due to the fact we have Macs and iPhones within our organization and they have native support for Cisco IPSec VPNs. I was speaking with Cisco engineers and they recommended the ASA5510 with the 2851 router. My question is why the router as well? Currently we have a PIX 506e and it is doing the job fine without a separate router appliance.

a) What would the benefits of having a separate router be to my organization? We currently operate on a 24 bit network with no other subnets.

b) Any future benefits to doing this?

c) What are the main reasons people have a separate firewall and router?

Basically, the way I am looking at this:

My ASA device would be connected to our WAN (Internet Connection). The router would be behind the ASA device on our private network with a private IP. So what is the point of having the router there?

Please, if you guys could provide me with some reasons to have a router and an ASA device. Comments like "performance" don't really help me, as anyone can say it, but please give examples. I would really appreciate it.

Dave

a) To be honest, not much really. Even if you had a number of VLANs within your LAN you could use a L3 switch rather than a router. Was the router recommended for inside your network? One of the reasons to have a router is because it supports a lot more interface types whereas the ASA device can only handle Ethernet. If the internet connection is being presented as Ethernet then I'm not sure what benefit you get from having a router as well.

One thing to note though. An ASA should not be used as a router if you can avoid it. If you only have 1 /24 subnet in your LAN and you do not need to route within your LAN then the ASA should be fine on its own. If you do need to route then, as I say, a L3 switch or router would be good.

b) Well, think I've answered this in a). If you need to segment your LAN then a device capable of routing would be needed and the router could do this for you, although purely for LAN routing I would look at a L3 switch to be honest.

c) Again, partly answered already. Routers offer the most flexibility in terms of functionality over both firewalls and switches. Routers can actually run a firewall themselves. They have more interface types, they have a much richer QoS feature set etc.

If you are sure the router was recommended for inside the LAN as opposed to outside the ASA it may be worth asking what benefit it is supposed to give you. Bear in mind also that routers such as the 2800 series can also take a switch module so you have a combined router/switch in the same chassis so they may be recommending that for you.

Jon

Edison Ortiz
Hall of Fame

I agree with Jon on his assessment, but perhaps the router was recommended on the inside to run some kind of CallManager service?

You mentioned having IP Phones; ISR routers such as the 2851 provide a very nice CallManager service for a low price.

As Jon mentioned, having it outside provides WAN interfaces not available in the ASA and feature-rich services like QoS and NetFlow.

Regards

Edison.

Great information guys, I truly appreciate it.

Basically we are using a PIX 506e right now and it is doing a fine job. It was not recommended to me inside my network; that's just how I first pictured it.

We do have a 5 Mbps fibre connection, but it goes through a media converter into our current PIX.

So I guess now my question would be: if I put it on the outside of my network, besides the obvious benefits as stated, is there any reason to have one? What benefits would I be getting if I put it outside the network? What could I do with the router that I could not do with the ASA, besides having many more expansion modules and things like that?

I guess if I did a lot of complex routing it would take the load off the ASA device, or for redirecting traffic to the internal network it would be nice to have. But I'm wondering if I should just go with the ASA device and then, as we grow, purchase the router if needed.

dmayo0317 wrote:

Great information guys, I truly appreciate it.

Basically we are using a PIX 506e right now and it is doing a fine job. It was not recommended to me inside my network; that's just how I first pictured it.

We do have a 5 Mbps fibre connection, but it goes through a media converter into our current PIX.

So I guess now my question would be: if I put it on the outside of my network, besides the obvious benefits as stated, is there any reason to have one? What benefits would I be getting if I put it outside the network? What could I do with the router that I could not do with the ASA, besides having many more expansion modules and things like that?

I guess if I did a lot of complex routing it would take the load off the ASA device, or for redirecting traffic to the internal network it would be nice to have. But I'm wondering if I should just go with the ASA device and then, as we grow, purchase the router if needed.

Dave

Again, not clear what you would gain. Routers do have a much better QoS feature set, but then again if it is just an internet connection then QoS is not that relevant.

If you needed WAN connectivity, i.e. you go another office for example, then the router may well be useful, although it's questionable whether you would then want the router on the outside of the ASA.

I am not saying you do not need a router, although with the facts given I am struggling to see why you need one at the moment. But if you have been recommended to buy a router as well as an ASA there may be a very good reason that we have not covered.

It really would be worth going back and asking why you were recommended a router as well as a firewall just in case we have missed some requirement you have.

Jon

dmayo0317
Level 1

Hi Jon,

I plan on doing that tomorrow, however, I never got a site survey or anything. It was just a Cisco salesman saying it is Cisco recommended. As you can see where I am going with this.

Thank you both for your great answers.
